The Beauty School is committed to protecting the privacy and security of your personal data. This privacy notice describes how we collect and use personal data about you during and after your relationship with us ends, in accordance with the General Data Protection Regulation (GDPR).
This privacy notice is for distribution amongst all employees, workers, contractors, agency workers,
consultants and directors (Personnel) of The Beauty School. Please note that there may be elements of the notice that are not applicable to you according to the specific role you undertake within The Beauty School.

This privacy notice applies to current and former Personnel. We may update this notice at any time.
We may collect, store, and use the following categories of personal data about you:

• [Personal contact details such as name, title, addresses, telephone numbers, and personal
email addresses.]
• [Date of birth.]
• [Gender.]
• [Your Child’s Name and PPSN [e.g. for purpose of tracking Parental Leave]]
• [Name other instances where family events are organised and family information might be
collected e.g. celebrations/Christmas]
• [Marital status and dependants [for example might be required for pension
purposes]]
• [Next of kin and emergency contact information.]
• [PPSN/National Insurance number.]
• [Bank account details, payroll records and tax status information.]
• [Salary, annual leave, pension and benefits information.]
• [Start date.]
• [Location of employment or workplace.]
• [Copy of driving licence.]
• [Recruitment information (including copies of right to work documentation, references and
other information included in a CV or cover letter or as part of the application process).]
• [Employment records (including job titles, work history, working hours, training records and
professional memberships).]
• [Compensation history.]
• [Performance information.]
• [Disciplinary and grievance information.]
• [CCTV footage and other information obtained through electronic means such as swipe card
records.]
• [Information about your use of our information and communications systems.]
• [Photographs for example for use in an identification card/for identifying staff on a website
etc.]
• [Recording of your voice].
• [Visa/Immigration/right to work or residential status]
• Criminal offences for specific functions *subject to the finalisation of the national
implementing legislation
We may also collect, store and use the following “special categories” of more sensitive personal data:
• [Information about your race or ethnicity, religious beliefs and political opinions.]
• [Trade union membership.]
• [Information about your health, including any medical condition, health and sickness records.]
• [Biometric data.]

How we collect the information
We collect personal data about Credit Union Personnel from the following sources:

• You;
• the application and recruitment process, either directly from candidates or from third parties
• a recruitment agency, third party placement firm or job search website;
• We may sometimes collect additional information from third parties including [former
employers, background check provider or credit reference agencies];
• [Access NI in respect of criminal convictions for specific functions if required];
• References which have been provided to us

We will collect additional personal data in the course of role-related activities throughout the period
of you working for us.

Why we collect the information and how we use it
We will use your personal data for the following purposes:
• Where we need to perform the contract we have entered into with you;
• Where we need to comply with a legal obligation;
• Where it is necessary for our legitimate interests (or those of a third party) and your interests
and fundamental rights do not override those interests. If we rely on our legitimate interest, we will
tell you what that is.
We may also use your personal data in the following situations, which are likely to be rare:
• Where we need to protect your interests (or someone else’s interests).
• Where it is needed in the public interest [or for official purposes].

Situations in which we will use your personal data
We need all the categories of information in the list above primarily to allow us to perform our
contract with you and to enable us to comply with legal obligations.
In some cases we may use your personal data to pursue legitimate interests of our own provided your
interests and fundamental rights do not override those interests.

Planned data transmission to third countries
There are no plans for a data transmission to third countries.

The situations in which we will process your personal data are listed below.
Fulfilling contract. This basis is appropriate where the processing is necessary for us to manage our
contract with you
Making a decision about your recruitment or appointment to future roles that may become available
Determining the terms on which you work for us. Conducting performance reviews, managing
performance and determining performance requirements.
Paying you and, if you are an employee, deducting tax and other legal contributions. Making
decisions about salary reviews and compensation.
Providing the following benefits to you:
…………………………..
Assessing qualifications for a particular job or task, including decisions about promotions.
Liaising with your pension provider.
Gathering evidence for possible grievance or disciplinary hearings.
Administering the contract we have entered into with you.
Making decisions about your continued employment or engagement.
Education, training and development requirements.
Making arrangements for the termination of our relationship.

Our legal duty. This basis is appropriate when we are processing personal data to comply with EU
law or UK or Northern Ireland Law
Ascertaining your fitness to work and working capacity e.g. pre-employment medicals and
occupational health assessments
Checking you are legally entitled to work in the United Kingdom.
Recording of working hours, annual leave and public holidays
Using a biometric system for managing working time records
Dealing with legal disputes involving you, or other Personnel, including accidents at work.
Complying with health and safety obligations.
Equal opportunities monitoring.
To prevent fraud.
Compliance with social security and social protection laws e.g. processing certain data to pay sick
pay, maternity benefit, paternity benefit
Gathering evidence for possible grievance or disciplinary hearings.
Making arrangements for the termination of our working relationship.

Legitimate interests. A legitimate interest is when we have a business or commercial reason to use
your information. But even then, it must not unfairly go against what is right and best for you. If we
rely on our legitimate interest, we will tell you what that is.
To monitor your use of our information and communication systems to ensure compliance with our
IT policies. Our legitimate interests: our IT policies are in place to protect our IT infrastructure
including business continuity.
Using CCTV to protect the assets and security of the business. Our legitimate interest: CCTV is used
by the business in line with our policies
To ensure network and information security, including preventing unauthorised access to our
computer and electronic communications systems and preventing malicious software distribution.
Our legitimate interest: It is important to ensure continuity of service to our customers and to
comply with our obligations that appropriate IT technical and security measures are put in place.
To conduct data analytics studies to review and better understand Personnel retention and attrition
rates. Our legitimate interest: It is important that we understand our retention and attrition rates to
ensure that we address any issues.
Voice Recording. Our Legitimate interest: Voice recording is used by the business in line with our
policies

Vital interests: The Processing is necessary to protect the vital interests of the data subject or
another individual
Using an employee’s emergency contact number. In the event of an emergency it will be necessary
for us to contact your emergency contact, next of kin or other contact
Some of the above grounds for processing will overlap and there may be several grounds which
justify our use of your personal data.

If you fail to provide personal data
If you fail to provide certain information when requested, we may not be able to perform the
contract we have entered into with you or we may be prevented from complying with our legal
obligations (such as to ensure the health and safety of our individuals undertaking a role within the
business). If there are any changes to your personal data (e.g. a new address), you should let us
know as soon as possible.

Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably
consider that we need to use it for another reason and that reason is compatible with the original
purpose. If we need to use your personal data for an unrelated purpose, we will notify you and we
will explain the legal basis which allows us to do so. This will only be done in accordance with our
policies.
Please note that we may process your personal data without your knowledge or consent, in
compliance with the above rules, where this is required or permitted by law.

HOW WE USE SENSITIVE PERSONAL DATA
“Special categories” of particularly sensitive personal data require higher levels of protection. We
need to have further justification for collecting, storing and using this type of personal data. We may
process special categories of personal data in the following circumstances:
1. In limited circumstances, with your explicit written consent.
2. Where we need to carry out our legal obligations and in line with our data protection policy.
3. Where it is needed in the public interest, such as in relation to our occupational pension scheme,
insurance or health insurance, and in line with our data protection policy.
4. Where it is needed to assess your working capacity on health grounds, subject to appropriate
confidentiality safeguards.
Less commonly, we may process this type of information where it is needed in relation to legal
claims or where it is needed to protect your interests (or someone else’s interests) and you are not
capable of giving your consent, or where you have already made the information public.

Our obligations as an employer
We will use your sensitive personal data in the following ways:
• We will use information relating to leaves of absence, which may include sickness absence
or family related leaves, to comply with employment and other laws.
• We will use information about your physical or mental health, or disability status, to ensure
your health and safety in the workplace and to assess your fitness to work, to provide appropriate
workplace adjustments, to monitor and manage sickness absence and to administer benefits.
• We will use trade union membership information to pay trade union premiums, register the
status of a protected employee and to comply with employment law obligations.
• We will use information about your race or national or ethnic origin to establish if we
require a work permit for you to be eligible to work for us and community background, to ensure
meaningful equal opportunity monitoring and reporting.

Do we need your consent?
Under the General Data Protection Regulation (GDPR), the requirements for valid consent have
been made much stricter. Consent must be freely-given, specific, informed and revocable. The
GDPR expressly states that, where there is an imbalance of power between the party giving consent
and the party receiving it, consent will not be valid. On the basis of our relationship with you,
consent would not be valid. We therefore rely on other legal bases to process your personal data as
set out in this privacy notice.
Where you have a genuine choice as to the processing, and in limited circumstances, we may
approach you for your written consent to allow us to process certain particularly sensitive data. If we
do so, we will provide you with full details of the information that we would like and the reason we
need it, so that you can carefully consider whether you wish to consent. You should be aware that it
is not a condition of your contract with us that you agree to any request for consent from us.

INFORMATION ABOUT CRIMINAL CONVICTIONS
We may only use personal data relating to criminal convictions where the law allows us to do so.
We will only collect personal data about criminal convictions if it is appropriate given the nature of
the role and where we are legally able to do so.
Where we do process criminal data we will ensure that appropriate additional safeguards as
required by the Data Protection Act 2018 are in place.

How we may share the information and how secure is my information?
We may also need to share your personal data with other parties, such as HR consultants, insurers
and professional advisers. All our third-party service providers are required to take appropriate
security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes unless they are deemed to
be data controllers in their own right. We only permit them to process your personal data for
specified purposes and in accordance with our instructions. Usually, information will be anonymised
but this may not always be possible. The recipient of the information will also be bound by
confidentiality obligations. We may also need to share your personal data with a government agency
or to otherwise comply with the law.
The following activities are carried out by third-party service providers:

Why might you share my personal data with third parties?
We may share your personal data with third parties where required by law, where it is necessary to
administer our relationship with you or where we have another legitimate interest in doing so.

Planned data transmission to third countries
There are no plans for a data transmission to third countries.

Data Retention Periods
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it
for, including for the purposes of satisfying any legal or accounting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature,
and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure
of your personal data, the purposes for which we process your personal data and whether we can
achieve those purposes through other means, and the applicable legal requirements.
In some circumstances we may anonymise your personal data so that it can no longer be associated
with you, in which case we may use such information without further notice to you. Once you are no
longer Personnel we will retain and securely destroy your personal data in accordance with the data
retention schedule which is available on http://www.ico.org.uk/.

Changes to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new
privacy notice when we make any substantial updates. We may also notify you in other ways from
time to time about the processing of your personal data.

Automated decision-making
We do not envisage that any decisions will be taken about you using automated means; however, we
will notify you in writing if this position changes.
If you have any questions about this privacy notice, please contact The Data Protection Officer
at The Beauty School.

I,___________________________ (employee, contractors, agency workers, consultants, directors)
acknowledge that on _________________________ (date), I received a copy of The Beauty School privacy notice for employees, workers and contractors and that I have read and understood it